Comflow is safe for the log4j attack
Comflow is safe with regard to the log4j attack, both inside and outside the firewall!
This is because Comflow uses Avalon as its logging framework, together with the Tomcat Java logger. There are log4j components in Comflow-lib, but they are used only by other components and not by the web server. Log4j can, however, be activated for Tomcat by manual configuration. So, to be on the really safe side, we will shortly apply some changes by updating the log4j component to safe versions in the coming 2.20 and 2.22 revisions. 2.16 and 2.18 are safe, because their log4j version is so old that it does not contain the feature used by the attack.
Update 2021-12-17:
Comflow 2.22.13 is now released with a new version of log4j.properties, which adds a prevention against the log4j attack.
To add further protection, update the Java JRE/JDK used by Comflow to the version below or higher:
- 6u211
- 7u201
- 8u191
Update 2022-02-11:
Comflow and log4j vulnerability (CVE-2021-44228)
Background
On December 10 2021, the world learned that the Log4j software contained a very serious vulnerability with the identifier CVE-2021-44228. The vulnerability allows attackers to send malicious “messages” to a server that logs them, which could be used to execute commands on that server, steal data or even take control of the server via JNDI.
Comflow and log4j
Comflow uses a slightly modified version of pax-logging.
pax-logging has its own implementation of log4j logging: the log4j API and some implementation classes are copied into the bundles pax-logging-api and pax-logging-service, which is why log4j is part of the lib in Comflow.
Classes affected by the vulnerability:
- org.apache.logging.log4j.core.appender.AbstractManager
- org.apache.logging.log4j.core.appender.mom.JmsManager
- org.apache.logging.log4j.core.lookup.Interpolator
- org.apache.logging.log4j.core.net.JndiManager
- org.apache.logging.log4j.core.selector.JndiContextSelector
None of the above classes are copied into pax-logging.
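To verify that claim on an installation rather than take it on trust, a defender can check the jars in the Comflow lib directory for the class entries listed above. The script below is an added example and not part of Comflow or pax-logging; the jar names and the lib directory path are assumptions, and the sample jars it builds are constructed in memory for demonstration.

```python
import io
import os
import zipfile

# The class names this advisory lists as affected by CVE-2021-44228, as jar entry paths.
AFFECTED_CLASSES = (
    "org/apache/logging/log4j/core/appender/AbstractManager.class",
    "org/apache/logging/log4j/core/appender/mom/JmsManager.class",
    "org/apache/logging/log4j/core/lookup/Interpolator.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
    "org/apache/logging/log4j/core/selector/JndiContextSelector.class",
)


def affected_entries(jar_bytes):
    """Return the affected class entries found in a jar given as bytes.
    Jars embedded inside a jar (e.g. a bundle shipping its own log4j) are
    searched recursively and reported as 'outer.jar!/inner/path.class'."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name in AFFECTED_CLASSES:
                found.append(name)
            elif name.endswith(".jar"):
                for inner in affected_entries(zf.read(name)):
                    found.append(f"{name}!/{inner}")
    return found


def scan_lib_dir(lib_dir):
    """Walk a lib directory (assumed path) and map each jar to its affected entries."""
    report = {}
    for root, _dirs, files in os.walk(lib_dir):
        for fname in files:
            if fname.endswith(".jar"):
                path = os.path.join(root, fname)
                with open(path, "rb") as fh:
                    report[path] = affected_entries(fh.read())
    return report


def build_sample_jar(entries):
    """Constructed sample: build an in-memory jar from a dict of entry name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed jars: one resembling a pax-logging bundle, one embedding a JndiManager class.
    clean = build_sample_jar({"org/ops4j/pax/logging/PaxLoggingService.class": b""})
    embedded = build_sample_jar({"lib/log4j-core.jar": build_sample_jar(
        {"org/apache/logging/log4j/core/net/JndiManager.class": b""})})
    print("clean bundle:", affected_entries(clean))
    print("bundle with embedded log4j-core:", affected_entries(embedded))
```

Any non-empty result means the affected classes are present and the version of that jar should be checked against the fixed releases.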
Conclusion
The log4j vulnerability is not present in pax-logging.